4

I'm using Kerberos authentication to log in to Active Directory. I'm doing it with GSSAPI.

Currently, I'm using a krb5.conf file, which describes the realms, encryption algorithms and more, and the authentication works fine.

I would like to avoid using this file. Can I programmatically configure Kerberos, without using this file?

Thanks.

Matan

3 Answers

2

You could try just configuring two system properties:

java.security.krb5.kdc
java.security.krb5.realm

Note that you can't programmatically configure anything beyond this if you are using JDK's native support for Kerberos.

If you are coding for Windows, I would warmly recommend using WAFFLE to achieve seamless Single Sign-On. It doesn't have a GSS-API adapter, though. I wrote my own, but only because the rest of the system already relied on it. You could just as easily skip GSS-API and program directly against WAFFLE.

Marko Topolnik
  • Hi, thanks! I'm not sure that these properties will be enough. What about the encryption algorithm? – Matan Dec 18 '12 at 12:45
  • Just try them and see if the defaults are good enough. In my setup I found the defaults satisfactory. – Marko Topolnik Dec 18 '12 at 12:47
  • I know that I can't use the defaults since the encryption algorithms are not supported. – Matan Dec 18 '12 at 16:49
  • You mean your target server doesn't support the encryption algo of the service ticket? Since I think that even older Java versions support all the relevant algos. – Marko Topolnik Dec 18 '12 at 17:34
  • Yes, and I do like to be able to configure more than just the kdc and the realm (for example - default domain). – Matan Dec 20 '12 at 12:12
  • Then you are stuck with `krb5.conf`, unless you change your mind about the Kerberos implementation you intend to use. BTW as far as I recall, the encryption algorithm for the Service Ticket is not at all controlled by the client: the KDC decides this for itself. After all, this is strictly between the KDC and the target server; the client has no business with it. – Marko Topolnik Dec 20 '12 at 12:20
  • Thanks. What is this waffle? – Matan Dec 20 '12 at 12:23
  • It's a wrapper to Windows SSPI, which is a native Windows API equivalent to GSS-API. SSPI manages all tickets internally so it is zero-configuration. You just get the token you need to send to the server---just like you get from GSS-API. – Marko Topolnik Dec 20 '12 at 12:31
  • That's right, it works strictly on Windows. Let me also warn you that, to the best of my knowledge, JDK's native implementation doesn't do ticket renewal. When the ticket expires, it just stops working. – Marko Topolnik Dec 23 '12 at 10:52
  • @MarkoTopolnik Can you tell me which property should be set in the krb5.ini file to extend the ticket lifetime using the JDK? – Kumar Apr 13 '15 at 12:28
0

If you only want to avoid a system-wide krb5.conf, you can create it in your program in any directory with any name (say, in your home directory) and use it by setting the Java system property java.security.krb5.conf to its full path. I do believe this has to be done before you call any Kerberos-related code.

speedogoo
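Putting the two answers above together: the java.security.krb5.kdc/realm properties only cover the KDC and realm, while a privately generated krb5.conf selected through java.security.krb5.conf can also carry the default domain and enctype list the question asks about. The following is an added Java example, not code from either answer; the realm, KDC hostnames, domain and enctypes are constructed placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Writes a per-process krb5.conf and points the JDK Kerberos provider at it.
 *  Must run before any GSS-API / JAAS Kerberos call: the JDK reads the config once, on first use. */
public final class Krb5Setup {

    /** Renders the minimal krb5.conf the JDK needs: realm, KDC(s), default
     *  domain mapping and the encryption types allowed for tickets. */
    static String renderKrb5Conf(String realm, List<String> kdcs,
                                 String defaultDomain, List<String> enctypes) {
        String enc = String.join(" ", enctypes);
        StringBuilder sb = new StringBuilder();
        sb.append("[libdefaults]\n")
          .append("  default_realm = ").append(realm).append('\n')
          .append("  default_tkt_enctypes = ").append(enc).append('\n')
          .append("  default_tgs_enctypes = ").append(enc).append('\n')
          .append("  permitted_enctypes = ").append(enc).append("\n\n")
          .append("[realms]\n  ").append(realm).append(" = {\n");
        for (String kdc : kdcs) sb.append("    kdc = ").append(kdc).append('\n');
        sb.append("    default_domain = ").append(defaultDomain).append("\n  }\n\n")
          .append("[domain_realm]\n")
          .append("  .").append(defaultDomain).append(" = ").append(realm).append('\n')
          .append("  ").append(defaultDomain).append(" = ").append(realm).append('\n');
        return sb.toString();
    }

    /** Writes the rendered config to a private temp file (owner-only on POSIX) and activates it. */
    static Path install(String contents) throws IOException {
        Path conf = Files.createTempFile("krb5-", ".conf");
        Files.write(conf, contents.getBytes(StandardCharsets.UTF_8));
        conf.toFile().deleteOnExit();
        System.setProperty("java.security.krb5.conf", conf.toAbsolutePath().toString());
        return conf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; replace with your own realm, KDCs and domain.
        String conf = renderKrb5Conf("EXAMPLE.COM",
                List.of("kdc1.example.com", "kdc2.example.com"), "example.com",
                List.of("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"));
        install(conf);
        // Only after this point is it safe to create a GSSManager context or a LoginContext.
    }
}
```

If the property is set after the first Kerberos call in the process, the JDK keeps the configuration it already loaded, so call install() as early as possible.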
0

[From the MIT official Documents: https://web.mit.edu/kerberos/krb5-latest/doc/admin/index.html]

It seems we may not have an official method to configure Kerberos without krb5.conf; even ignoring some parts of keytabs (they are defined to be auto-fetched at TGS status, but sometimes things get weird) will lead to fatal errors.